Web Evolution
  • Static content:-  Server serves web pages created by people.
  • Dynamic content via server-side code:- Server generates web pages based on input from user and a database using code executed on server.
    Ex - CGI scripts (Perl, Python, PHP, Ruby, Java, ASP, etc.)
  • Dynamic content via client-side code:- Code embedded in web page is executed in browser and can manipulate web page as a data structure (Domain Object Model = DOM)
    Ex. - JavaScript, VBScript, Active X controls, Java applets
  • AJAX (Asynchronous JavaScript and XML):- Framework for updating page by communicating between browser and remote servers.

Attack Surface

Web applications have a large attack surface  places that might contain vulnerabilities that can be exploited. A vault with a single guarded door is easier to secure than a building with many doors and windows.
  • Client side surface:- form inputs (including hiddenfields), cookies, headers, query parameters, uploaded files, mobile code
  • Server attack surface: web service methods, databases
  • AJAX attack surface: union of the above

These were divided into six categories:
Broken Authentication (62%) - This vulnerability relates to the application’s login mechanism, which may enable the attacker to guess username and passwords and thus launch a brute-force attack.

Broken Access Controls (71%) - The application fails to properly protect access to sensitive information. An attacker can be able to view other user’s personal information.

SQL Injection (32%) - This allows the attacker to submit arbitrary input to the application and interfere with the application’s back-end database. An attacker may be able to modify or retrieve data from the application or execute commands on the database.

Cross-site Scripting (94%) - This vulnerability enables the attacker to input malicious javascript to the application and potentially gain access to their data, or carrying other attacks against them.

Information Leakage (78%) - In this case the application exposes sensitive data or information that might be useful for the attacker when targeting the application.

Cross-site Request Forgery (92%) - This allows the attacker to create malicious and unintended actions in the application with other user’s behalf.

The OWASP Top 10 - 2013 Release Candidate includes the following changes as compared to the 2010 edition:
  • A1 Injection
  • A2 Broken Authentication and Session Management (was formerly A3)
  • A3 Cross-Site Scripting (XSS) (was formerly A2)
  • A4 Insecure Direct Object References
  • A5 Security Misconfiguration (was formerly A6)
  • A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection)
  • A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access)
  • A8 Cross-Site Request Forgery (CSRF) (was formerly A5)
  • A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration)
  • A10 Unvalidated Redirects and Forwards

Like it ? Share it.

Post a Comment

  1. I've been exploring for a little bit for any high-quality articles or blog posts in this sort of space .
    Exploring in Yahoo I at last stumbled upon this website. Studying this information So i'm happy to express that I've a very excellent uncanny feeling I found out exactly what I needed.
    I so much no doubt will make certain to do not forget this site and give it a
    glance regularly.

    my webpage online casino

  2. My spouse and I stumbled over here different web address and thought I
    might as well check things out. I like what I see so now i'm
    following you. Look forward to looking at your web page

    Also visit my web blog - payday uk


Comment Rules :
1. Do not post Adult/illegal Links.
2. Try to comment in only English Language.
3. Do not post other website's links which are useless.
4. Your Comment should be based on the Topic for other queries Kindly Visit our Contact Us Page.
5. Do not use Abusive Language.
6. Respect each other.
Thank You for following the rules. Please Comment....